You probably know that you should take care when using an ATM, but how can you know for sure that the device has been compromised – and what should you do upon realising this?

What Is ATM Crime?

ATMs in the wall of banks, railway stations, hotels, supermarkets and other locations contain a lot of money. Attempting to remove the money by force will result in the notes being dyed, becoming easy to trace alongside the perpetrators. This has more or less ended the practice of physical brute force attacks on ATMs, as well as attempts to steal the whole devices (a practice common in the 1990s using four wheel drive trucks with winches or heavy-duty towbars).

Instead, thieves have opened a new line of attack: through you. There are three distinct types of ATM crime. The first is when someone waits for you to withdraw cash and then steals it from you. The second occurs when a victim is forced under duress to make a withdrawal and hand it over to the criminal. Third is the mode by which your PIN is observed and your card stolen.

The vast majority of ATM crime is based on a digital variant of this third method. This way there is no physical crime and those plotting the scam can remain comparatively anonymous, largely avoiding recognition in person or by camera. They visit the scene of the crime just a couple of times to install and later remove the hardware modifications they’ve made to the ATM.

Using An ATM Safely

Increasingly concerned about their customers’ use of ATMS, over the past few years banks have begun to take the issue of ATM crime seriously. Before we look at how you can spot a cash point or hole-in-the-wall that has been modified by criminals, let’s take a look at how you can use these devices safely.

The first thing to do is avoid using an ATM, wherever possible. If the option to queue at the bank and take money out of your account over the counter is available, you should take it. Opting for cashback in your supermarket is another alternative.

If you must use an ATM, ensure that there are no obvious modifications. Next, look around you to check no one is too close – ask them to step back if they are. When inputting your PIN, ensure your spare hand is covering the number you enter – you don’t want anyone else to know it, do you?

Make sure you quickly remove your card and put it away safely and securely; repeat for your withdrawal, then take one more look around you before you move away from the machine to a safe area, before continuing upon your business.

Finally, assume that any ATM or automated card payment machine can be compromised. Several card payment devices in petrol pumps have been compromised over the past few months and the possibility that other similar devices (such as self-service payment aisles in supermarkets) could be modified by scammers should not be overlooked.

What Does A Compromised ATM Look Like?

Identifying an ATM that has been modified is not easy. Scammers use fake card readers, fake keyboards and even cameras, styled to look like the originals that they cleverly fit over the top of.

Close inspection of a compromised ATM should reveal one of the following, however:

Fake keyboard – this sits over the original, and features keylogging software that records every PIN. As the PIN is entered each key press will push down on the original keys below, leaving the user none the wiser.

Fake card reader – these have developed considerably over the past few months. Miniaturisation has resulted in skimmer devices that sit inside the original card reader, whereas previously they might have sat on top. Recently new and some older ATMs have been fitted with “anti-skimmer” devices that purport to prevent skimmers from being fitted (pictured above).

Cameras – not to be confused with the ATM’s built-in camera, which is intended to record your face rather than your PIN. These are used as an alternative to the fake keyboard, but will be positioned so that the PIN can be recorded. Any part of the ATM that seems slightly too big is a potential home for a hidden camera, whose presence will often be betrayed by a small hole.

Meanwhile, a machine that has been hacked but in a state of unreadiness might be displaying the operating system boot screen or desktop (or even the warning message displayed below), often Windows XP or its embedded alternative.

I Found A Dodgy ATM – What Next?

If you find an ATM that you believe has been compromised, there are two things you should do. The first is to inform the owner straight away. This might mean popping into the bank or business that owns or rents the device and reporting the incident, or making a phone call to their ATM security team.

You should also take to your social networking account to report the ATM to your friends in the area. Better still if there is a local news group in operation, share it here too. The more people that know about the scam, the less chance anyone has of being taken in by it. You might also consider leaving a note on the device informing other potential users of your discovery.

Have you ever encountered a compromised ATM, or been the victim of cash machine that has been modified by scammers? Let us know what happened!

Your email address will not be published. Required fields are marked *

Comment

Name *

Email *

Kevin M

July 22, 2014 at 12:16 pm

Thanks. Raising awareness of this sort of ATM crime is useful. It's also always good advice to be aware of what is going on around you when using an ATM. All sorts of things can go wrong. It's practically impossible to spot a compromised machine, specially abroad where they may not look the same as those you are used to.

Very interesting article, and I agree; you've really got to be careful these days. I'm disgusted at how some of my mates disregard their security so easily - to the point of them having a go at me for not being so careless!

I always use the ATMs inside banks instead; it may not be perfect, but it's surely got to be more secure locked up over night and watched/video-taped every day than being outside, prone to compromise!

safer ATMs would be those that are inside bank branches themselves. (I hail from Singapore) Where I live, a few bank branches employ security staff who are meant to watch over the lobby and ATM areas of banks.

When I was living in London, I don't specifically recall such measures, but still found it safer to use ATMs within the bank branch itself.

Unless... the staff are untrustworthy.. there will always be some risk involved where ATM use is concerned.

To be fair they are all right in the comments regards the info and the thing thats much more worrying and that is that this is a little dated but these practises are still in use although there are more sophisticated ways of robbing your money via ATM transaction. ATM machines can be hacked ! The electronic movement of money is swift and can easily exceed the daily limit which is overridden and there need never be a physical interaction with the machine for your money to be stolen. Also the chip and pin that people are told is supersafe is most certainly not and can be compromised within minutes (ask the guys that helped test it)
It happens and it happened to me.I got cleaned out left with nothing and the bank did not honour their responsibilities. They should give you back any money that has been removed that was not authorised . Do not back off and remember its up to your bank to prove it was not you if they are in any doubt.You do not need card protection for debit cards because if you fall for that scam you will end up in a pass the buck situation for years.Exactly as it was designed to do and your bank KNOWS this.
Make sure you keep receipts as it proves the time and and your physical location, just incase your compromised and you can then prove your whereabouts. Your card can be on you without you worrying that they wont believe you or care. They do not need to use any physical means that belong to you to take your dosh. Dont listen to the IT WAS CHIP AND PIN SO ITS NOT CLASSED AS FRAUD OR THEFT. This is an absolute lie. It is and it happens every day.

"I agree also! It simply wasn’t possible within the time constraints available."

well. it seems to me instead of simply slapping a half finished article up and agreeing that it could have been done better you should have done something different , rather than waste readers time with this ...article you posted .

Why would an ATM running XP be any more vulnerable to external attack than any other operating system. Which is what your article is meant to be about.
XP would only be vulnerable from a network attack, you ever tried to hack a banks network then ?
How would an ordinary ATM user know what operating system is running in the back ground ?
Non of your photographs display what an actual fraud device looks like.

My card was compromised last year at a Race Track ATM. I didn't even know it happened till my bank emailed me to inform me of the breach. Within 24 hours my bank had reimbursed me all the money and issued me a new card. The ATM I used is one that instead of being inside the store was actually located outside the store fitted to the wall. I don't use Race Track ATMs anymore because of this but I hasn't stopped me from using ATMs for good.

Avoid using ATM's? Then why not avoid getting into cars too? Cars are a lot more dangerous!!

Thus far, I have been to 70+ countries around the world -- with only a small handful that are without internationally-linked ATM's. Otherwise, I use ATM's everywhere. Yes, even in supposedly-dodgy countries like Russia, Ukraine, China... Their ATM's worked flawlessly.

The only time I got into a mishap (I always had my card on me, but thieves managed to withdraw from my checking account somehow) was in Nicaragua. But all I had to do was inform my card issuer (Capital One) -- and the amount was returned to me in three days. I did not lose a single cent.

So, zero risk? No, but the risk is very small, and even if that should happen to you, all you have to do is let your bank know in a timely manner.

Idiotic to avoid ATM's altogether. Very few people use travelers checks anymore. And the alternative of traveling with wads of cash in your pockets is much, much more dangerous.

The only thing "spurious" is telling people to avoid ATM's -- whereas a more intelligent approach would be to help people manage risk instead of avoiding them -- esp. something as low risk and low impact as using an ATM. All one needs is common sense precaution and vigilance.

But like so much with our popular media today -- you gunned for attention by sensationalizing. The shame.

@Brad - An idiotic response from an idiot? Tell people specifically that it isn't zero risk -- and they give you a cheap pot shot instead.

Christian Cawley is MakeUseOf's security and Linux editor, with extensive experience in IT desktop and software support. Christian is a regular contributor to print publications such as Linux User & Developer, as well as a number of specials: Raspberry Pi for Beginners, Expert Android, The iPad Book Vol 6, WordPress…